China Financial Standards Technical Committee

Standardization Promotes Secure Development of Third-Party Payment

May 25, 2018

Author LI Wei

From China Standardization

The global payment industry has grown rapidly in recent years, driven by the deep integration of technological innovation with payment services and by the application of mobile Internet, secure chips, big data, identity authentication and other technologies. Payment products continue to evolve, payment services are increasingly mobile, and payment participants are diversifying. Against this backdrop, third-party payment (TPP) has become a new impetus to innovative development in the financial field. TPP effectively meets the diverse financial needs of individual users, small and micro businesses and other long-tail customer groups, and thus plays a crucial role in driving information-based consumption, inclusive finance and economic development. In China, TPP service is provided principally by non-bank payment organizations that are licensed for payment service in accordance with the law. In 2016, non-bank payment organizations completed 66.33 billion Internet payment transactions with an aggregate value of RMB 54.25 trillion yuan, up by 98.60% and 124.27% from 2015 respectively.

From the social and market perspective, the booming e-commerce industry has gradually pushed up demand for small-value, high-frequency Internet payment services, and TPP, as a convenient and efficient service mode, has boosted the development of the market economy. From the perspective of the financial sector, TPP provides a sound foundation for the development of new or small financial institutions, gives an impetus to payment market innovation and enhances the adequacy of competition in the financial field. From the technical perspective, an increasing number of FinTech companies are joining the payment ecosystem on the strength of their Internet and smart terminal technology and the customer, merchant and supply chain resources they have accumulated over the years, which has promoted the development of the technology industry.

However, the fast-growing TPP sector faces many challenges, and the payment security situation is not optimistic. TPP is a network-based payment service mode that usually relies on the virtual and open Internet to enable data exchange and information authentication among merchants, users and TPP service providers. Relative to conventional payment, TPP risks are characterized by faster contagion, higher invisibility, a longer incubation period and a stronger spillover effect. TPP also poses a bigger challenge to security in terms of sensitive information protection, customer fund security and business continuity. To ensure the security of TPP transactions and information, TPP service providers each take different measures to address security issues and prevent risks in their own ways. For the same threat or security risk, different security measures yield different results, leading to poor overall effectiveness. Standardization is therefore an effective way to establish a clear awareness of TPP security risks and reasonable precautions, and to promote the healthy and orderly development of the TPP industry.

I. What attributes of TPP involve security

ISO/TR 21941:2017, Financial services - Third-party payment service providers, published by ISO, defines some key concepts, describes the current overall situation of TPP and introduces preliminary reference models and architecture. It is a fundamental document for TPP security research. Some countries and regions have also promulgated laws and regulations to regulate TPP, which prescribe the dos and don'ts, the acceptable results and the allowable methods of certain activities. Examples include the EU's Payment Services Directive II (PSD2), and China's Measures for the Payment Services Provided by Non-financial Institutions and Technical Requirements on Payment Service Facilities of Non-financial Institutions.

Based on TPP development in some countries and regions, TPP attributes can be divided by division of work into two categories: business (commercial) and technical. Business attributes determine what services are provided to customers and how the business is operated. Technical attributes determine how to provide services to customers efficiently and effectively via information systems and other channels. Both technical and business attributes are closely related to security. Based on user demands, TPP attributes can also be divided into functional and non-functional demands. Both types of demands are the foundation for information systems and the basis for providing products or services to users. In accordance with the ISO/IEC 25000 series, Systems and software engineering - Systems and software Quality Requirements and Evaluation (SQuaRE), security is an important feature of information system quality.

Regardless of how the attributes are categorized, IT is the crucial foundation for TPP, and IT security is the key to TPP development. TPP relies on technical security. Major TPP risks such as consumer information leakage and fund loss can be prevented by strengthening information infrastructure and improving technical standards for TPP. TPP issues other than IT security, such as fund security of TPP service providers and AML requirements, involve complicated economic and social issues and can be governed more efficiently by laws and regulations.

With regard to international standards, although some countries and regions and ISO have started standardization work for TPP, there are no globally uniform standards for TPP security. Therefore, further work should be carried out on TPP IT security research and standardization by drawing upon the laws, regulations and technical standards of relevant countries and regions and their implementation.

II. For which level of IT security in TPP is standardization appropriate

Security can be defined in various ways, and its definition has evolved gradually over time to encompass security objectives, security measures and security effectiveness. Security objectives include the combination of confidentiality, integrity and availability, as well as accountability and non-repudiation. Security measures include the prevention of unauthorized access or change, and non-repudiation measures. Security effectiveness means the degree to which assets are protected from threats and damage. Only when the security objective is determined can we make clear why measures should be taken and whether the expected effectiveness can be achieved.

Payment business and technical modes are currently developing fast and changing constantly, which makes technical stability difficult to maintain. In addition, global imbalances in TPP development tie TPP security closely to local social culture and economic environments. It is difficult for a specific security implementation scheme to be duplicated directly across jurisdictions.

Overall, the standardization of TPP security should focus on security objectives rather than specific implementation schemes. The TPP security objective, as the foundation for security measures, is common and stable in nature, and it is therefore appropriate to consider TPP security as the preferred subject of standardization.

III. Necessity of developing TPP security objective standards

First, risks can be eliminated or controlled at an acceptable level by formulating TPP security objective standards, unifying the high-level TPP security framework, reasonably classifying risks and putting forward the necessary tools and ways of risk prevention.

Second, TPP security objective standards impose no restrictions on the technical modes or technical solutions used to achieve the security objective. The standards are therefore compatible with existing TPP systems, allowing them to further enhance their security level, and also serve as a point of reference for new systems under development to achieve a certain security level. Meanwhile, the advantages derived from technical innovation can be fully utilized to better achieve the security objective.

Third, TPP security objective standards encourage all participants to unify their security awareness and prevention level, boost the level of trust among all parties to payment, and help IT system vendors (including internal IT departments of participants and external vendors) and payment participants (mainly including merchants, banks and TPP service providers) to provide and choose appropriate technical solutions more efficiently.

Fourth, TPP security objective standards tolerate differences in regulatory requirements among countries or regions. As such standards involve no specific implementation scheme, they are more applicable to cross-jurisdictional payment activities.

To sum up, TPP security objective standards allow coexistence of different participants, development stages and regional policy environments in an economical and efficient manner, effectively improve the payment security level, increase the efficiency of payment services and protect the legitimate rights and interests of consumers.

IV. How to establish TPP security objective standards

TPP security objective standards should be established pursuant to the fundamental principles of "uniform, simple, coordinated and optimal". The "PDCA Cycle" standardization method and philosophy should be reasonably used to create the framework of TPP security objective standards according to the TPP practices and experience of relevant countries and regions. In accordance with ISO/IEC 15408:2009, Information technology - Security techniques - Evaluation criteria, to effectively prevent the occurrence of TPP security problems, it is suggested to create a universal TPP system protection profile (PP) document under the guidance of TPP security objective standards, to establish the particular TPP system security target (ST) documents from the top down, and to regulate and guide TPP system security risk countermeasures from the perspectives of identifying protected assets and threats, determining assumptions and organizational security policy, and formulating security objectives.


[1] ISO/TR 13569:2005 Financial services - Information security guidelines

[2] ISO/IEC 12207:2008 Systems and software engineering - Software life cycle processes

[3] ISO/IEC/IEEE 15288:2015 Systems and software engineering - System life cycle processes

[4] ISO/IEC 15408-1:2009 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model

[5] ISO/TR 21941:2017 Financial services - Third-party payment service providers

[6] ISO/IEC/IEEE 24765:2010 Systems and software engineering - Vocabulary

[7] ISO/IEC 25010:2011 Systems and software engineering - Systems and software Quality Requirements and Evaluation (SQuaRE) - System and software quality models